Black Hat 25: The evolution of ransomware

The Verkada security breach exposed data from thousands of surveillance cameras.
Courtesy: CFE Media and Technology

Black Hat recently held its 25th anniversary conference in Las Vegas. Before the main event began, Omdia, an analytics and consulting firm, held an analyst summit to discuss various aspects of the cybersecurity world. At this event, Senior Analyst Fernando Montenegro spoke on the evolution of ransomware.

The evolution of ransomware

Ransomware has been around for several decades; the first recognized ransomware attack was the AIDS Trojan (also known as PC Cyborg) in 1989. It was distributed on floppy disks carrying an AIDS-information questionnaire; after a number of reboots it hid directories and scrambled file names, then demanded that the user mail a payment to regain access to the computer.

The next marker of a shift in ransomware came with the "police trojan" attacks of 2011, which locked users out of their computers on the pretext that they had violated the law. A notice styled as coming from law enforcement demanded a fine before access was restored.

The WannaCry attack of 2017 was one of the first truly widespread ransomware attacks, affecting more than 200,000 devices across 150 countries. It targeted Windows devices, spread on its own as a worm through an SMB vulnerability in unpatched systems, and demanded payment in bitcoin.

2018 marked the rise of targeted attacks. With this came the evolution of ransomware into the modern era of the 2020s, according to Montenegro. The main feature of this era is the increased use of ransomware-as-a-service (RaaS), in which developers rent their malware and infrastructure to affiliates, allowing anybody to be a threat actor in the ransomware space regardless of experience level.


RaaS provides the initial foothold for weaponizing ransomware at scale, Montenegro said. From there the attack proceeds through network propagation and discovery, and then to actions on the objective: carrying out the encryption and the extortion.

Distributed denial of service (DDoS) has become associated with ransomware as an additional extortion lever: alongside data exfiltration and harassment of the victim's customers, attackers use DDoS to increase the pressure to pay.

Now that RaaS has become a regular occurrence, government agencies have started to step in and take steps to disrupt these attacks, and the actors have responded in kind:

  • Recovery – The Department of Justice has begun recovering ransom payments, although slowly.
  • Forensics – The Financial Crimes Enforcement Network (FinCEN) is starting to get involved in tracing ransomware-related payments.
  • Sanctions – The Office of Foreign Assets Control (OFAC) has begun applying sanctions to ransomware actors.
  • Countermeasures – In response, ransomware actors have started to use Monero (a privacy-enhancing cryptocurrency), mixers and chain-hopping to avoid being traced.

The economics of ransomware

Ransomware continues to be a top-level concern and is growing year over year, with phishing being the primary initial access vector. Exploitation of unpatched or poorly configured systems is also common, a consequence of poor security practices. Ransomware actors operate with budgets, and the basic process resembles a kidnapping for ransom: take control of something the victim values, then negotiate a price for its return.

However, the attacker's expenses and the victim's costs are very different. The cost to execute a ransomware attack is low, whereas the downtime, lost productivity and recovery overhead are extremely costly for the company to absorb.

Paying carries no guarantee of recovery: a decryptor may not work, and "reinfection" can happen if the attackers' original access path is not closed. This, combined with the fact that law enforcement action is an externality the company cannot control, makes these attacks difficult to protect against.

The CISO balancing act

Because of how widespread ransomware is, companies must work to secure all systems to the best of their ability. The chief information security officer (CISO) is crucial in leading the security team and looking at ransomware as a key scenario for planning.

At the C-suite level, a CISO is responsible for interpreting risk management, contextualizing ransomware, coordinating a response and evaluating resiliency. When communicating with the chief information officer (CIO), the CISO should make the case for a ransomware readiness review.

At the level of engineering, research and design, CISOs should drive threat modeling so that the organization is better prepared if an attack takes place.

When communicating to the rest of an organization, a CISO should educate employees on best practices to mitigate future events.

At the customer level, it is important for a CISO to have open lines of communication, which would be important in the event that data — especially consumer data — is taken for ransom.

With the core information technology (IT) team, a CISO must help lead in improving endpoint security and using existing capabilities to their fullest extent, according to Montenegro. The team should also watch user and process behavior and monitor for anything out of place. Behavior-based detection of this kind can help spot an attack in progress, during discovery and propagation, before the actors reach the encryption stage.
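The behavior-based detection Montenegro recommends can be illustrated with a small heuristic. The following is an added example written for this page; it is not code from the article, from Omdia or from any product mentioned. It reads constructed endpoint file-event log lines (the tab-separated format, the process names and the thresholds are all assumptions) and flags a process that performs a burst of extension-changing renames across several directories inside a short window, which is the file-system signature of encryption under way. A compiler renaming many .tmp files inside a single build directory does not trip it.

```python
"""Behaviour-based ransomware heuristic over endpoint file-event logs.

Added example for this article; not code from Omdia, Montenegro or any
product the article mentions. The log format (tab-separated: ISO timestamp,
pid, process name, event, source path, optional destination path) is a
convention constructed for this example, not a real EDR schema.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from os.path import dirname, splitext

# Tunables (assumed values, not figures from the article).
WINDOW = timedelta(seconds=10)   # sliding window per process
RENAME_THRESHOLD = 5             # extension-changing renames inside WINDOW
MIN_DIRECTORIES = 3              # the burst must touch at least this many dirs

# Constructed sample log: a compiler doing bulk .tmp -> .o renames in one
# directory (benign), a user renaming one file (benign), and an "updater.exe"
# sweeping three directories and appending ".locked" (the case to catch).
SAMPLE_LOG = """\
2024-05-01T10:00:00\t777\tgcc\tRENAME\t/home/bob/build/a.tmp\t/home/bob/build/a.o
2024-05-01T10:00:00\t777\tgcc\tRENAME\t/home/bob/build/b.tmp\t/home/bob/build/b.o
2024-05-01T10:00:01\t777\tgcc\tRENAME\t/home/bob/build/c.tmp\t/home/bob/build/c.o
2024-05-01T10:00:01\t777\tgcc\tRENAME\t/home/bob/build/d.tmp\t/home/bob/build/d.o
2024-05-01T10:00:01\t777\tgcc\tRENAME\t/home/bob/build/e.tmp\t/home/bob/build/e.o
2024-05-01T10:00:02\t777\tgcc\tRENAME\t/home/bob/build/f.tmp\t/home/bob/build/f.o
2024-05-01T10:00:05\t900\texplorer.exe\tRENAME\t/home/alice/docs/draft.txt\t/home/alice/docs/draft.md
2024-05-01T10:01:00\t4242\tupdater.exe\tWRITE\t/home/alice/docs/budget.xlsx
2024-05-01T10:01:00\t4242\tupdater.exe\tRENAME\t/home/alice/docs/budget.xlsx\t/home/alice/docs/budget.xlsx.locked
2024-05-01T10:01:00\t4242\tupdater.exe\tRENAME\t/home/alice/docs/notes.docx\t/home/alice/docs/notes.docx.locked
2024-05-01T10:01:01\t4242\tupdater.exe\tRENAME\t/home/alice/photos/img1.jpg\t/home/alice/photos/img1.jpg.locked
2024-05-01T10:01:01\t4242\tupdater.exe\tRENAME\t/home/alice/photos/img2.jpg\t/home/alice/photos/img2.jpg.locked
2024-05-01T10:01:02\t4242\tupdater.exe\tRENAME\t/srv/share/q3.pptx\t/srv/share/q3.pptx.locked
2024-05-01T10:01:02\t4242\tupdater.exe\tRENAME\t/srv/share/plan.pdf\t/srv/share/plan.pdf.locked
"""


def parse_event(line):
    """Parse one constructed log line into a dict; dst is None for non-rename events."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) < 5:
        raise ValueError(f"malformed line: {line!r}")
    ts, pid, proc, event, src = parts[:5]
    dst = parts[5] if len(parts) > 5 else None
    return {"ts": datetime.fromisoformat(ts), "pid": int(pid), "proc": proc,
            "event": event, "src": src, "dst": dst}


def extension(path):
    return splitext(path)[1].lower()


def detect(lines):
    """Return one alert per process whose extension-changing renames reach
    RENAME_THRESHOLD inside WINDOW and span at least MIN_DIRECTORIES.
    Lines are assumed to arrive in timestamp order."""
    history = defaultdict(deque)   # pid -> deque of (ts, directory, new_ext)
    alerted = set()
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["event"] != "RENAME" or ev["dst"] is None:
            continue
        if extension(ev["src"]) == extension(ev["dst"]):
            continue                      # same extension: not an encryption pattern
        q = history[ev["pid"]]
        q.append((ev["ts"], dirname(ev["dst"]), extension(ev["dst"])))
        while q and ev["ts"] - q[0][0] > WINDOW:
            q.popleft()                   # evict renames that fell out of the window
        dirs = {d for _, d, _ in q}
        if (len(q) >= RENAME_THRESHOLD and len(dirs) >= MIN_DIRECTORIES
                and ev["pid"] not in alerted):
            alerted.add(ev["pid"])
            alerts.append({
                "pid": ev["pid"],
                "process": ev["proc"],
                "renames": len(q),
                "directories": sorted(dirs),
                "new_extensions": sorted({e for _, _, e in q}),
                "window_start": q[0][0].isoformat(),
                "window_end": ev["ts"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Running the file prints a single alert for pid 4242 (updater.exe, five renames to ".locked" across three directories), and nothing for gcc or explorer.exe. The multi-directory requirement is what separates bulk but legitimate renames from an encryptor walking the file system; in practice a detection like this is one signal among several (canary files, entropy of written data, shadow-copy deletion) and is tuned to the environment's normal rename rates, since a threshold that is too low generates noise from backup and build tools.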
